VYPR
Vypr Intelligence · AI-generated · Jun 10, 2026 · 12 CVEs

QNAP QTS: Critical Command Injection and XSS Flaws Disclosed in Batch

QNAP addressed a cluster of 12 vulnerabilities in its QTS operating system, including critical command injection and high-severity XSS flaws. The advisories were published on June 9-10, 2026; the fixed QTS builds they point to predate the advisories, so an up-to-date device may already be covered.

Key findings

  • Twelve QNAP QTS vulnerabilities disclosed between June 9-10, 2026.
  • Includes Critical and High-severity command injection flaws that let attackers holding administrator privileges execute arbitrary commands on the NAS.
  • A High-severity XSS vulnerability (CVE-2026-41539) was also disclosed.
  • Other vulnerabilities include path traversal, NULL pointer dereference (DoS), integer overflow, and buffer overflow.
  • Patches are available for affected QTS versions, with specific build numbers given per CVE; the fixed build differs from one CVE to the next.

QNAP has released security updates to address a batch of twelve vulnerabilities affecting its QTS operating system. The disclosures, spanning June 9th and 10th, 2026, include Critical and High-severity flaws that could allow remote attackers holding administrator credentials to execute arbitrary commands, and a cross-site scripting flaw that targets users of the web interface.

Five command injection vulnerabilities, rated High or Critical, were disclosed. CVE-2026-24719, CVE-2026-22893, CVE-2025-66279, and CVE-2025-66273 allow remote attackers who already hold administrator privileges to execute arbitrary commands on affected systems. CVE-2025-66276, rated Critical, was fixed in QTS 5.2.7.3256 build 20250913 and later. Because the injected commands run on the NAS itself, a successful exploit amounts to full control of the device and everything stored on it. The administrator-privilege precondition narrows exposure to attackers who already have, or can obtain, admin credentials, which makes strong unique admin passwords, multi-factor authentication where QTS offers it, and keeping the management interface off the public internet the first line of defence alongside patching.

Adding to the severity, a cross-site scripting (XSS) vulnerability, CVE-2026-41539, was also disclosed. This High-severity flaw could enable remote attackers to bypass security mechanisms or read application data, impacting users who interact with the QTS interface.

Other vulnerabilities addressed in this batch include path traversal (CVE-2026-24717), NULL pointer dereferences leading to denial-of-service (DoS) attacks (CVE-2026-24716 and CVE-2025-66281), an integer overflow or wraparound issue that could compromise system security (CVE-2025-66280), and a buffer overflow vulnerability (CVE-2025-62858) that could lead to memory corruption or process crashes.

QNAP has provided patches for these vulnerabilities, but the fixed build differs from one CVE to the next. For instance, CVE-2026-24719 was fixed in QTS 5.2.9.3492 build 20260, while CVE-2025-66281 was addressed in QTS 5.2.9.3410 build 20250214 and later. Administrators should therefore compare their installed version against each advisory's fixed build rather than assume a single update covers all twelve, and are strongly advised to move to the latest available firmware. Some advisories noted that sibling products such as QuTS hero and QuTScloud, or certain QTS builds, were not affected by a given vulnerability, but a comprehensive update is recommended.
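The practical check behind the paragraph above is a version comparison: is the installed QTS build at or past the fixed build named in each advisory? The following script, an added example and not code from QNAP or from this page, parses version strings in the "QTS 5.2.9.3410 build 20250214" form the article quotes and reports which CVEs remain unpatched for a given installed version. Only the two CVEs whose fixed build the article states in full are included; the truncated build for CVE-2026-24719 is deliberately not guessed. The ordering rule (numeric release tuple first, eight-digit build date as a tiebreaker) and the `QtsVersion`/`unpatched_cves` names are this example's own assumptions.

```python
import re
from typing import Dict, List, NamedTuple, Tuple


class QtsVersion(NamedTuple):
    """Ordered representation of a QTS version string.

    Tuple ordering compares `release` first (e.g. (5, 2, 9, 3410)) and falls
    back to `build` (e.g. 20250214) only when the release numbers tie. That
    ordering rule is an assumption of this example, not a QNAP specification.
    """
    release: Tuple[int, ...]
    build: int  # 0 when the string carries no "build YYYYMMDD" suffix


# Accepts "QTS 5.2.9.3410 build 20250214", "5.2.7.3256", and the advisory
# phrasing "QTS 5.2.9.3410 build 20250214 and later".
_VERSION_RE = re.compile(
    r"^(?:QTS\s+)?(\d+(?:\.\d+)+)(?:\s+build\s+(\d{8}))?(?:\s+and\s+later)?$",
    re.IGNORECASE,
)


def parse_qts_version(text: str) -> QtsVersion:
    """Parse a QTS version string; raises ValueError on anything unrecognised."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised QTS version string: {text!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    build = int(m.group(2)) if m.group(2) else 0
    return QtsVersion(release, build)


# Fixed builds quoted in the article. CVE-2026-24719 is omitted because its
# build number is truncated on the page and must not be guessed.
FIXED_IN: Dict[str, str] = {
    "CVE-2025-66276": "QTS 5.2.7.3256 build 20250913",
    "CVE-2025-66281": "QTS 5.2.9.3410 build 20250214 and later",
}


def unpatched_cves(installed: str, fixes: Dict[str, str] = FIXED_IN) -> List[str]:
    """Return the CVEs whose fixed build is newer than the installed firmware.

    A device running exactly the fixed build counts as patched; an identical
    release number with an older build date counts as unpatched.
    """
    have = parse_qts_version(installed)
    return sorted(cve for cve, fixed in fixes.items()
                  if have < parse_qts_version(fixed))


if __name__ == "__main__":
    # Constructed sample inputs, not real device readings.
    for sample in ("QTS 5.2.6.3195 build 20250701",
                   "QTS 5.2.7.3256 build 20250913",
                   "QTS 5.2.9.3410 build 20250101",
                   "QTS 5.2.9.3410 build 20250214"):
        missing = unpatched_cves(sample)
        print(f"{sample}: {'unpatched ' + ', '.join(missing) if missing else 'covered'}")
```

Feed `unpatched_cves` the version string QTS shows on its firmware-update page. The third sample is the edge case worth noticing: the release number matches the fix but the build date is older, so the script still flags it rather than assuming the release number alone is enough.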

This coordinated disclosure highlights ongoing security challenges for network-attached storage (NAS) devices, which often store sensitive data. The presence of critical command injection flaws underscores the importance of prompt patching and robust security practices for administrators managing QNAP systems.

AI-written article. Grounded in 12 CVE records listed below.